Abstract. Linear-Rate Multi-Mode Systems is a model that can be seen both as a
subclass of switched linear systems with imposed global safety constraints and as 
hybrid automata with no guards on transitions. We study the existence and design of a 
controller for this model that keeps the state of the system within a given safe set for 
the whole time. A sufficient and necessary condition is given for such a controller to 
exist as well as an algorithm that finds one in polynomial time. We further generalise 
the model by adding costs on modes and present an algorithm that constructs a safe 
controller which minimises the peak cost, the average-cost or any cost expressed as a 
weighted sum of these two. Finally, we present numerical simulation results based on 
our implementation of these algorithms. 



1 Introduction 

Optimisation of electricity usage is an increasingly important issue because of the growing 
energy prices and environmental concerns. In order to make the whole system more effi- 
cient, not only the average electricity consumption should be minimised but also its peak 
demand. The energy produced during the peak times, typically occurring in the afternoon 
due to the heaters or air-conditioning units being switched on at the same time after peo- 
ple come back from work, is not only more expensive because the number of consumers 
outweighs the suppliers, but also the peaking power plants that provide the supply at that 
time are a lot less efficient. Therefore, the typical formula that is used for charging compa-
nies for electricity is a weighted average of their peak and average electricity demand [14].
Optimisation of the usage pattern of heating, ventilation and air-conditioning units (HVAC) 
not only can save electricity but also contribute to their longer lifespan, because they do not 
have to be used just as often. 

In [9] Nghiem et al. considered a model of an organisation consisting of a number of
decoupled zones whose temperatures have to remain within a specified comfort temperature
interval. Each zone has a heater with a number of possible output settings, but the controller 
can pick only one of them. That is, the heater can either be on in that one setting or it has 
to be off otherwise. A further restriction is that only some fixed number of heaters can be 
on at any time. The temperature evolution in each zone is governed by a linear differential 
equation whose parameters depend on the physical characteristics of the zone, the outside 
temperature, the heater's picked setting and whether it is on or off. The aim is to find a safe 
controller, i.e. a sequence of time points at which to switch the heaters on or off, in order for 
the temperature in each zone to remain in its comfort interval which is given as the input. 
In the end, it was shown that a sufficient condition for such a controller to exist is whether a 
simple inequality holds. This fact can be used to minimise the peak number of heaters used 



at the same time, but if heaters can have different costs, then this may not correspond to 
minimising the peak energy cost. 

We strictly generalise the model in [9] and define linear-rate Multi-Mode Systems (MMS).
The evolution of our system is the same, specifically it consists of a number of zones, which
we will call variables, whose evolutions do not directly influence each other. However, we
do not assume that all HVAC units in the zones are heaters, so the system can cope with a 
situation when cooling is required during the day and heating during the night. Moreover, 
rather than having all possible combinations of settings allowed, our systems have a list of 
allowable joint settings for all the zones instead; we will call each such joint setting a mode. 
This allows us to model specific behaviours, for instance, heat pumps, i.e. when the heat moves
from one zone into another, and central heating that can only heat all the zones at the same 
time. Finally, we will be looking for the actual minimum peak cost without restricting our- 
selves to just one setting per heater nor the number of heaters being switched on at the same 
time, while keeping the running time polynomial in the number of modes. We also show 
how to find the minimum average-cost schedule and finally how to minimise the energy bill 
expressed as a weighted sum of the peak and the average energy consumption. 

Related work. Apart from generalising the model in [9], MMSs can be seen both as switched
linear systems (see, e.g. [5, 12]) with imposed global safety constraints or as hybrid automata
(see, e.g. [1, 3, 6]) with no guards on transitions. The analysis of switched linear systems typically fo-
cuses on several forms of stabilisation, e.g. whether the system can be steered into a given 
stable region which the system will never leave again. However, all these analyses are done 
in the limit and do not impose any constraints on the state of the system before it reaches 
the safe region. Such an analysis may suffice for systems where the constraints are soft, e.g. 
nothing serious will happen if the temperature in a room will briefly be too high or too low. 
However, it may not be enough when studying safety-critical systems, e.g. when cooling 
nuclear reactors. Each zone in an MMS is given a safe value interval in which the zone has
to be at all times. This causes an interesting behaviour, because even if the system stabilises 
while staying forever in any single mode, these stable points may be all unsafe and therefore 
the controller has to constantly switch between different modes to keep the MMS within the 
safety set. For instance, a heater in a room has to constantly switch itself on and off as 
otherwise the temperature will become either too high or too low. On the other hand, even 
the basic questions are undecidable for hybrid automata (see, e.g. [7]) and therefore MMSs
constitute their natural subclass with decidable and even tractable safety analysis.

In [2] we recently studied a different, incomparable class of constant-rate Multi-Mode
Systems where in each mode the state of a zone changes with a constant rate as opposed
to being governed by a linear differential equation as in linear-rate MMS. Specifically, in every
mode $m \in M$ the value of each variable $x_i$ after time $t$ increases by $t$ times the constant rate
of change of $x_i$ in mode $m$, which is a real number. That model was a special case of linear
hybrid automata ([3]), which has constant-rate dynamics and linear functions as guards on
transitions. We showed a polynomial-time algorithm for both safe controllability and safe 
reachability questions, as well as finding optimal safe controllers in the generalised model 
where each mode has an associated cost per time unit. 

There are many other approaches to reduce energy consumption and peak usage in build-
ings. One particularly popular one is model predictive control [4] (MPC). In [11] stochastic
MPC was used to minimize a building's energy consumption, while in [8] the peak electricity
demand reduction was considered. The drawback of using MPC in our setting is its high
computational complexity and the fact that it cannot guarantee optimality.

Results. The key contribution of the paper is an algorithm for constructing a safe controller
for MMSs with any starting point in the interior of the safety set, which we present in Section
3. Unlike in [9], we not only show a sufficient, but also necessary, condition for such a safe
controller to exist. The condition is a system of linear inequalities that can be solved using
polynomial-time algorithms for linear programming (see, e.g. [13]) and because that system
does not depend on the starting state, we show that either all points in the interior of the safe 
set have a safe controller or none of them has one. Furthermore, we show that if there is a 
safe controller then there is a periodic one with the minimum dwell time, i.e. the smallest 
amount of time between two mode switches, being of polynomial-size. Such a minimum 
dwell time may be still too low for practical purposes. However, we prove that the problem 
of checking whether there is a safe controller with the minimum dwell time higher than 1 (or 
for any other constant) is PSPACE-hard. This means that any approximation of the largest 
minimum dwell time among all safe controllers is unlikely to be tractable. 

In Section 4 we generalise the MMS model by associating a cost per time unit with each
mode and looking for a safe schedule that minimises the long-time average cost. Similarly
as before, if there is at least one safe controller, then the optimal cost does not depend on the
starting point and there is always a periodic optimal controller. In order to prove that the
controller that we construct has the minimum average cost it is crucial that the condition
found in Section 3 is both sufficient and necessary. Furthermore, in order to check whether
there exists a safe controller with a peak cost at most p, it suffices to check safe controllabil-
ity for the set of all modes whose cost does not exceed p. This allows us to find the minimum
peak cost using binary search on p.

We show that all these periodic safe (and optimal) controllers can be constructed in time 
polynomial in the number of modes. However, if one considers the set of modes to be given 
implicitly as in [9] where each zone has a certain number of settings and all their possible
combinations are allowed then the number of modes becomes exponential in the size of the 
input. We try to cope with the problem by performing a bottom-up binary search in order 
to avoid analysing large sets of modes and use other techniques to keep the running time 
manageable in practice. 

Finally, we show how to find the minimum total cost calculated as a weighted sum of 
the peak cost and the average cost. The challenging part is that peak cost generally in- 
creases when the set of modes is expanded while the average-cost decreases. Therefore, the 
weighted cost may not be monotone in the size of set of modes and so binary search may 
not work and finding its minimum may require checking many possible subsets of the set of 
modes. However, we show a technique by which one can narrow down this search significantly
and make it practical even for large sets of modes.

In the end, we conclude and point out some possible future work in Section 6.

2 Linear Multi-Mode Systems 

Let us start by setting the notation. We write $\mathbb{N}$ for the set of natural numbers, $\mathbb{N}_{>0}$ for the
set of positive integers and $\mathbb{Z}$ for the set of integers. For a set $X$, let $|X|$ denote the number of
elements in $X$. Also, we write $\mathbb{R}$, $\mathbb{R}_{\ge 0}$, and $\mathbb{R}_{>0}$ for the sets of all, non-negative and strictly
positive real numbers, respectively. States of our system will be points in the Euclidean
space $\mathbb{R}^N$ equipped with the standard Euclidean norm $\|\cdot\|$. By $x, y$ we denote points in this
state space, by $f, v$ vectors, while $x(i)$ and $f(i)$ will denote the $i$-th coordinate of point $x$
and vector $f$, respectively. For $\odot \in \{<, \le, >, \ge\}$, we write $x \odot y$ if $x(i) \odot y(i)$ for all $i$. For an
$n$-dimensional vector $v$, by $\mathrm{diag}(v)$ we denote the $n \times n$ matrix whose diagonal is
$v$ and the rest of the entries are 0. We can now formally define our model.

Definition 1. A linear-rate multi-mode system (MMS) is a tuple $\mathcal{H} = (M, N, A, B)$ where
$M$ is a finite nonempty set of modes, $N$ is the number of continuous-time variables in the
system, and $A : M \to \mathbb{R}^N_{>0}$, $B : M \to \mathbb{R}^N$ give for each mode the coefficients of the linear
differential equation that governs the dynamics of the system.

In all further computational complexity considerations, we assume that all real numbers
are rational and represented in the standard way by writing down the numerator and denom-
inator in binary. Throughout the paper we will write $a_i^m$ and $b_i^m$ as a shorthand for $A(m)(i)$
and $B(m)(i)$, respectively.

A controller of an MMS specifies a timed sequence of mode switches. Formally, a
controller is defined as a finite or infinite sequence of timed actions, where a timed ac-
tion $(m, t) \in M \times \mathbb{R}_{\ge 0}$ is a tuple consisting of a mode and a time delay. We say that an
infinite controller $((m_1, t_1), (m_2, t_2), \ldots)$ is Zeno if $\sum_{i=1}^{\infty} t_i < \infty$ and is periodic if there ex-
ists $l \ge 1$ such that for all $k \ge 1$ we have $(m_k, t_k) = (m_{(k \bmod l)+1}, t_{(k \bmod l)+1})$. Zeno con-
trollers require infinitely many mode-switches within a finite amount of time, and hence,
are physically unrealizable. However, one can argue that a controller that switches after
$t_k = 1/k$ amount of time during the $k$-th timed action is also infeasible, because it requires
the switches to occur infinitely frequently in the limit. Therefore, we will call a controller
feasible if its minimum dwell time, i.e. the smallest amount of time between two mode
switches, is positive. We will relax this assumption and allow for the modes that are not
used at all by a feasible controller to occur in its sequence of timed actions with time
delays equal to 0, but we still require any feasible controller to be non-Zeno. For a con-
troller $\sigma = ((m_1, t_1), (m_2, t_2), \ldots)$, we write $T_k(\sigma) = \sum_{i=1}^{k} t_i$ for the total time elapsed up to
step $k$ of the controller $\sigma$, $T_k^m(\sigma) = \sum_{i \le k,\, m_i = m} t_i$ for the total time spent in mode $m$ up to
step $k$, and finally $t_{\min}(\sigma) = \inf\{t_k : t_k > 0\}$ for the minimum dwell time of $\sigma$. For any
non-Zeno controller $\sigma$ we have that $\lim_{k \to \infty} T_k(\sigma) = \infty$ and for any feasible controller $\sigma$
we also have $t_{\min}(\sigma) > 0$. Finally, for any $t \ge 0$ let $\sigma(t)$ denote the mode the controller
$\sigma$ directs the system to be in at the time instance $t$. Formally, we have $\sigma(t) = m_k$ where
$k = \min\{i : t < T_i(\sigma)\}$.

The state of MMS $\mathcal{H}$ initialized at a starting point $x_0$ under control $\sigma$ is an $N$-tuple of
continuous-time variables $x(t) = (x_1(t), \ldots, x_N(t))$ such that $x(0) = x_0$ and $\dot{x}(t) = B(\sigma(t)) -
\mathrm{diag}(A(\sigma(t)))\,x(t)$ holds at any time $t \in \mathbb{R}_{\ge 0}$. It can be seen that if $\mathcal{H}$ is in mode $m$ dur-
ing the entire time interval $[t_0, t_0 + t]$ then the following holds: $x_i(t_0 + t) = b_i^m / a_i^m + (x_i(t_0) -
b_i^m / a_i^m)\, e^{-a_i^m t}$. Notice that this expression is monotonic in $t$ and converges to $b_i^m / a_i^m$, because
based on the definition of MMS we have $a_i^m > 0$ for all $m$ and $i$.

Given a set $S \subseteq \mathbb{R}^N$ of safe states, we say that a controller $\sigma$ is $S$-safe for MMS $\mathcal{H}$
initialised at $x_0$ if for all $t \ge 0$ we have $x(t) \in S$. We sometimes say safe instead of $S$-
safe if $S$ is clear from the context. In this paper we restrict ourselves to safe sets being
hyperrectangles, which can be specified by giving lower and upper bound values for each
variable in the system. This assumption implies that controller $\sigma$ is $S$-safe iff $x(t) \in S$ for all
$t \in \{T_k(\sigma) : k \ge 0\}$, because each $x_i(t)$ is monotonic when $\mathcal{H}$ remains in the same mode
and so if the system is $S$-safe at two time points, the system is $S$-safe in between these two
time points as well. This fact is crucial to the further analysis and allows us to focus only
on $S$-safety at the mode switching time points of the controller. Formally, to specify any
hyperrectangle $S$, it suffices to give two points $l, u \in \mathbb{R}^N$, which define the region as follows:
$S = \{x : l \le x \le u\}$. The fundamental decision problem for MMS that we solve in this paper
is the following.

Definition 2 (Safe Controllability). Decide whether there exists a feasible $S$-safe con-
troller for a given MMS $\mathcal{H}$, a hyperrectangular safe set $S$ given by two points $l$ and $u$
and an initial point $x_0 \in S$.

The fact that a"' > for all m and / make the system stable in any mode, i.e. if the 
system stays in any fixed mode forever, it will converge to an equilibrium point. However, 
none of these equilibrium points may be S'-safe and as a result the controller may need 
to switch between modes in order to be 5-safe. We present an algorithm to solve the safe 
controllability problem in Section|3]and later, in Section]?] we generalise the model to MMS 
with costs associated with modes and the aim being finding a feasible 5-safe controller with 
the minimum average-cost, peak cost, or some weighted sum of these. As the following 
example shows, safe controllability can depend on the starting point if it lies on the boundary 
of the safe set. We will not analyse this special case and assume instead that the starting point 
belongs to the interior of the safe set. 

It should be noted that the definition of MMS allows for arbitrary switching between
modes. Restricting the possible order in which the modes can be used in a timed sequence will be the
subject of Corollary 1.

Example 1. Consider an apartment with two rooms and one heater. The heater can only
heat one room at a time. When it is off, the room temperature converges to the outside
temperature of 12°C, while if it is constantly on, the temperature of the room converges to
30°C. We assume the comfort temperature to be between 18°C and 22°C. The table below
shows the coefficients $b_i^m$ for all modes $m$ and rooms $i$, while all the $a_i^m$ are assumed to be
equal to 1. Intuitively, when heating room 1 and 2 half of the time each, the temperature in
each room should oscillate around (30°C + 12°C)/2 = 21°C and never leave the comfort zone
assuming the switching occurs frequently enough. We will prove this intuition formally in
Section 3. Therefore, as long as the temperature in one of the rooms is above 18°C at the
very beginning, a safe controller exists. However, if the temperature in both rooms starts at
18°C (a state which is safe), a safe controller does not exist, because in every mode the
temperature has to drop in at least one of the rooms and so the state becomes unsafe under
any control.



Modes             m_1    m_2    m_3
b_1^m (Room 1)     12     30     12
b_2^m (Room 2)     12     12     30
3 Safe Schedulability



Let us fix in this section a linear-rate MMS $\mathcal{H} = (M, N, A, B)$ and a safe set $S$ given by two
points $l, u \in \mathbb{R}^N$, such that $l < u$ and $S = \{x : l \le x \le u\}$. We call any vector $f \in \mathbb{R}^M_{\ge 0}$ such that
$\sum_{m \in M} f(m) = 1$ a frequency vector. Also, let us define $F_i(f, y) := \sum_{m \in M} f(m)\,(b_i^m - a_i^m y)$.
Notice that for a fixed $i$ and frequency vector $f$, the function $F_i(f, y)$ is continuous and strictly
decreasing in $y$. Moreover, $F_i(\alpha f + \beta g, y) = \alpha F_i(f, y) + \beta F_i(g, y)$. For a frequency vector
$f$, variable $x_i$ is called critical if $F_i(f, l_i) = 0$ or $F_i(f, u_i) = 0$ holds.

Definition 3. A frequency vector $f$ is good if for every variable $x_i$ the following conditions
hold: (I) $F_i(f, l_i) \ge 0$, and (II) $F_i(f, u_i) \le 0$. A frequency vector $f$ is implementable if it is
good and for every variable $x_i$ we additionally have (III) if $F_i(f, l_i) = 0$ then $f(m) = 0$ for
every $m \in M$ such that $b_i^m / a_i^m \ne l_i$, and (IV) if $F_i(f, u_i) = 0$ then $f(m) = 0$ for every $m \in M$
such that $b_i^m / a_i^m \ne u_i$.

Theorem 1. If there exists a feasible $S$-safe controller then there exists an implementable
frequency vector.

Proof. Denote the feasible $S$-safe controller by $\sigma$. Let $f_k^{(m)} = T_k^m(\sigma) / T_k(\sigma)$ be the fraction
of the time spent by $\sigma$ in mode $m$ up to its $k$-th timed action; note that $f_k^{(m)} \in [0, 1]$ and
$\sum_{m \in M} f_k^{(m)} = 1$ for all $k$. Let us look at the sequence of vectors $f_k \in [0, 1]^M$ where
we set $f_k(m) = f_k^{(m)}$. Since this sequence is bounded, by the Bolzano-Weierstrass theorem,
there exists an increasing integer sequence $j_1, j_2, \ldots$ such that $\lim_{k \to \infty} f_{j_k}$ exists, and let us
denote this limit by $f$. We prove by contradiction that $f$ is an implementable frequency
vector.

First, $f$ is a frequency vector as a limit of a sequence of frequency vectors. So if it was
not an implementable one then for some variable $x_i$ at least one of the following would
hold: (I) $F_i(f, l_i) < 0$, or (II) $F_i(f, u_i) > 0$, or (III) $F_i(f, l_i) = 0$ and the set $M' := \{m \in M :
f(m) > 0 \ \&\ b_i^m / a_i^m \ne l_i\}$ is nonempty, or (IV) $F_i(f, u_i) = 0$ and the set $\{m \in M : f(m) > 0
\ \&\ b_i^m / a_i^m \ne u_i\}$ is nonempty. We will consider only cases (I) and (III) as the other two are
symmetric and their proofs are essentially the same.

Let us first look at case (I). Denote $c := F_i(f, l_i) < 0$. Let $\chi_m(t)$ be equal to 1 if $\sigma(t) = m$
and let it be 0 otherwise. Notice that $x_i(T_k)$, the value of the variable $x_i$ after the $k$-th timed
action of $\sigma$, is equal to $x_i(0) + \int_0^{T_k} \dot{x}_i(t)\,dt = x_i(0) + \sum_{m \in M} \int_0^{T_k} (b_i^m - a_i^m x_i(t))\,\chi_m(t)\,dt \le u_i +
\sum_{m \in M} T_k^m (b_i^m - a_i^m l_i)$, because if the system is $S$-safe, then for every mode $m$ we have $b_i^m -
a_i^m x_i \le b_i^m - a_i^m l_i$. From the definition of $f$, for any $\varepsilon > 0$ we can pick $K$ such that for all
$k \ge K$ and $m \in M$ we have $|f_{j_k}(m) - f(m)| < \varepsilon$. So

$$x_i(T_{j_k}) \le u_i + \sum_{m \in M} T^m_{j_k}\,(b_i^m - a_i^m l_i) = u_i + T_{j_k} \sum_{m \in M} f_{j_k}(m)\,(b_i^m - a_i^m l_i)$$
$$= u_i + T_{j_k} \sum_{m \in M} \big(f(m) + (f_{j_k}(m) - f(m))\big)(b_i^m - a_i^m l_i)$$
$$\le u_i + T_{j_k}\Big(\sum_{m \in M} f(m)\,(b_i^m - a_i^m l_i) + \varepsilon |M| c_{\max}\Big) = u_i + T_{j_k}\,(c + \varepsilon |M| c_{\max}),$$
where $c_{\max} := \max_{m \in M} |b_i^m - a_i^m l_i| \ge |F_i(f, l_i)| > 0$.

If we now set $\varepsilon$ to be $-c / (2|M|c_{\max})$, which is $> 0$, then $x_i(T_{j_k}) \le u_i + \frac{1}{2} T_{j_k}\, c$, and so
$\lim_{k \to \infty} x_i(T_{j_k}) = -\infty$, because $\sigma$ is non-Zeno and $c < 0$. This is a contradiction with the
assumption that $\sigma$ is $S$-safe, i.e. $x_i(t) \ge l_i$ for all $t \ge 0$.

Now let us move on to case (III). Let $a_{\max} := \max_{m \in M'} |a_i^m|$, $c_{\min} := \min_{m \in M'} |b_i^m - a_i^m l_i|$
and $t_{\min} := t_{\min}(\sigma)$. Of course $c_{\min} > 0$, because $b_i^m / a_i^m \ne l_i$ for $m \in M'$, and $t_{\min} > 0$, because
$\sigma$ is feasible. Let $\gamma > 0$ be the constant used in the following lemma.

Lemma 1. For at least half of the time duration of every timed action of $\sigma$ which uses a
mode $m \in M'$, $x_i(t) \ge l_i + \gamma$ holds.

The proof of Lemma 1 can be found in the appendix. We can now proceed similarly as
in case (I). We have that $x_i(T_k)$ is equal to $x_i(0) + \int_0^{T_k} \dot{x}_i(t)\,dt = x_i(0) + \sum_{m \in M} \int_0^{T_k} (b_i^m -
a_i^m x_i(t))\,\chi_m(t)\,dt \le u_i + \sum_{m \in M} T_k^m (b_i^m - a_i^m l_i) - \frac{1}{2} \sum_{m \in M'} T_k^m\, \gamma\, a_i^m$, because using Lemma 1
we know that for at least half of the time spent in any mode $m \in M'$ we have $b_i^m - a_i^m x_i(t) \le
b_i^m - a_i^m (l_i + \gamma)$ and for the other half and any other $m \in M \setminus M'$ we have $b_i^m - a_i^m x_i(t) \le
b_i^m - a_i^m l_i$. Again, from the definition of $f$, for any $\varepsilon > 0$ we can pick $K$ such that for all
$k \ge K$ and $m \in M$ we have $|f_{j_k}(m) - f(m)| < \varepsilon$ and so

$$x_i(T_{j_k}) \le u_i + \sum_{m \in M} T^m_{j_k}\,(b_i^m - a_i^m l_i) - \frac{1}{2}\sum_{m \in M'} T^m_{j_k}\, \gamma\, a_i^m$$
$$= u_i + T_{j_k}\sum_{m \in M} f_{j_k}(m)\,(b_i^m - a_i^m l_i) - \frac{1}{2} T_{j_k}\sum_{m \in M'} f_{j_k}(m)\, \gamma\, a_i^m$$
$$= u_i + T_{j_k}\sum_{m \in M}\big(f(m) + (f_{j_k}(m) - f(m))\big)(b_i^m - a_i^m l_i) - \frac{1}{2} T_{j_k}\sum_{m \in M'}\big(f(m) + (f_{j_k}(m) - f(m))\big)\, \gamma\, a_i^m$$
$$\le u_i + T_{j_k}\Big(\sum_{m \in M} f(m)\,(b_i^m - a_i^m l_i) + \varepsilon |M| c_{\max}\Big) - \frac{1}{2} T_{j_k}\sum_{m \in M'}\big(f(m) - \varepsilon\big)\, \gamma\, a_{\max}$$
$$= u_i + T_{j_k}\Big(0 + \varepsilon |M| c_{\max} + \frac{1}{2}\varepsilon\gamma |M'| a_{\max} - \frac{1}{2}\gamma\, a_{\max} \sum_{m \in M'} f(m)\Big).$$

If we now set $\varepsilon := 2\gamma \sum_{m \in M'} f(m) / (2|M| c_{\max} + \gamma |M'| a_{\max})$, which is $> 0$, then we get
$x_i(T_{j_k}) \le u_i - \frac{1}{2} T_{j_k}\, \gamma\, a_{\max} \sum_{m \in M'} f(m)$, and so $\lim_{k \to \infty} x_i(T_{j_k}) = -\infty$, because $\gamma\, a_{\max} \sum_{m \in M'} f(m) > 0$
and $\sigma$ is non-Zeno. This is a contradiction with the assumption that $\sigma$ is $S$-safe.

Similarly we can show that neither case (II) nor case (IV) can hold, which finishes the
proof that $f$ is an implementable frequency vector. □

Theorem 2. If there exists an implementable frequency vector then there exists a periodic
$S$-safe controller for any initial state in the interior of the safety set.

Proof. Let $f$ be the implementable frequency vector. We first remove from $M$ all modes $m$
such that $f(m) = 0$. We claim that the following periodic controller $\sigma = ((m_k, t_k))_{k=1}^{\infty}$ with
period $|M|$ is $S$-safe for sufficiently small $s$: $m_k = (k \bmod |M|) + 1$ and $t_k = f(m_k) \cdot s$. As we
already know it suffices to check $S$-safety of the system at time points $T_k$ for all $k$. We will
focus here on checking just the lower bound, $x(T_k) \ge l$, because the estimations concerning
the upper bound are very similar. Note that for any variable $x_i$ we have
$$x_i(T_1) = \frac{b_i^{m_1}}{a_i^{m_1}} + \Big(x_0(i) - \frac{b_i^{m_1}}{a_i^{m_1}}\Big)\, e^{-a_i^{m_1} t_1}, \qquad\text{and}\qquad x_i(T_2) = \frac{b_i^{m_2}}{a_i^{m_2}} + \Big(x_i(T_1) - \frac{b_i^{m_2}}{a_i^{m_2}}\Big)\, e^{-a_i^{m_2} t_2},$$
and further by induction we get the corresponding expression (1) for $x_i(T_k)$.



Now, because $f$ is implementable, if $F_i(f, l_i) = 0$ then it has to be $b_i^m / a_i^m = l_i$ for all $m$. In
such a case, it is easy to see from equation (1) that $x_i(T_k) \ge l_i$ for all $k$, because $x_0(i) \ge l_i$.
Therefore, we can assume $F_i(f, l_i) > 0$. Let $\bar{x}_l = x(T_{l|M|})$ for all $l \in \mathbb{N}$, let
$\alpha(s) := e^{-\sum_{j=1}^{|M|} a_i^{m_j} t_j} = e^{-s \sum_{j=1}^{|M|} a_i^{m_j} f(m_j)}$, and let $\beta(s)$ be the remaining term of (1) for
$k = |M|$, which does not depend on $x_0(i)$.

Notice that since $\sigma$ is periodic with period $|M|$, from equation (1) we can deduce $\bar{x}_{l+1}(i) =
\alpha(s)\,\bar{x}_l(i) + \beta(s)$ for all $l$. Now, because $0 < \alpha(s) < 1$ for all $s$, the sequence $\bar{x}_l(i)$ converges
monotonically to $\beta(s) / (1 - \alpha(s))$ as $l \to \infty$ for any initial value $x_0(i)$.

We will now find $s$ of polynomial size such that $\beta(s) / (1 - \alpha(s)) \ge l_i$. The last condition
is equivalent to $\beta(s) - l_i + \alpha(s)\, l_i \ge 0$, because $1 - \alpha(s) > 0$. It is well-known that $1 - x \le
e^{-x} \le 1 - x + x^2$ for all $x \ge 0$. Let us also denote $d := |l_i| + |u_i| + 2 \cdot \max_{m \in M} |b_i^m / a_i^m|$. Notice
that for all $m, m' \in M$ we have $|b_i^m / a_i^m - b_i^{m'} / a_i^{m'}| \le d$, $|l_i| \le d$, as well as $|x_0(i) -
b_i^m / a_i^m| \le d$. Expanding $\beta(s) - l_i + \alpha(s)\, l_i$ using (1) and bounding its terms with these
estimates shows that the last expression will be $\ge 0$ if we set
$$s := \frac{F_i(f, l_i)}{d\,|M|\,\big(\sum_{m \in M} a_i^m f(m)\big)^2}.$$
Notice that this bound does not depend on the order of the modes in the period nor on the
starting state. So if for any $k < |M|$ we repeat this estimation for the initial point $x(T_k)$,
controller $\sigma'(t) := \sigma(t + T_k)$ and exactly the same $s$, the value of $x_i(T_{l|M|+k} - T_k)$ under
control $\sigma'$ will also monotonically converge to some value $\ge l_i$ as $l \to \infty$. Therefore, as long
as $x(T_k)$ is $S$-safe for all $k < |M|$ for the just selected $s$, all states of the system that follow
will be $S$-safe as well. Now, if we repeat the same analysis for the upper bound $u_i$ then we
would get the expression
$$s := \frac{-F_i(f, u_i)}{d\,|M|\,\big(\sum_{m \in M} a_i^m f(m)\big)^2},$$
so it suffices to set $s$ to be the minimum of these two.

Now, to find $s$ such that the system is $S$-safe for the first $|M|$ steps, we can estimate $x_i(T_k)$
to be $\ge x_0(i) - T_k \max_m |b_i^m - a_i^m x_0(i)|$ and $\le x_0(i) + T_k \max_m |b_i^m - a_i^m x_0(i)|$. We have $T_k \le s$
for $k \le |M|$ from the definition of $\sigma$ and so it suffices to set $s \le \min\{u_i - x_0(i),\, x_0(i) -
l_i\} / \max_m |b_i^m - a_i^m x_0(i)|$ if $\max_m |b_i^m - a_i^m x_0(i)| \ne 0$, and otherwise set $s$ to an arbitrarily high
value, in order for the variable $x_i$ to be $S$-safe in the first $|M|$ steps.

Finally, if we pick the minimum value from these estimates on $s$ over all possible vari-
ables $x_i$, we will guarantee that the system is both $S$-safe in the first $|M|$ steps as well as
after that, because $x_i(T_{l|M|+k})$ will monotonically converge for every fixed $i$ and $k < |M|$ to
a safe state as $l \to \infty$. □

Theorem 3. Algorithm 1 returns in polynomial time an $S$-safe feasible controller from $x_0$ if
there exists one.

Proof. We first need the following lemma whose proof can be found in the appendix. 

Lemma 2. Either there is a variable which is critical for all good frequency vectors or 
there is a good frequency vector in which no variable is critical. 

Now, let $\sigma$ be the controller returned by Algorithm 1. Notice that the frequency vector
$f_*$ the controller $\sigma$ is based on is implementable, because it satisfies the constraints at line 11,
which imply the conditions (I) and (II) of $f$ being implementable, and from Lemma 2 it
follows that all modes that could violate the conditions (III) and (IV) were removed in the
loop between lines 5-10. Moreover, the constant $s$ used in the construction of $\sigma$ is exactly the
same as the one used in Theorem 2, which guarantees $\sigma$ to be $S$-safe.

On the other hand, from Theorem 1, if there exists a feasible $S$-safe controller then there
also exists an implementable frequency vector $f$. Such a vector will satisfy the constraints
of being good at line 2 of the algorithm. In the loop between lines 5-10 all variables that
are critical in $f$ are first checked whether they satisfy conditions (III) and (IV), and they will
satisfy them because $f$ is implementable, and after that these critical variables are removed.
Finally, $f$ restricted to just the remaining variables will satisfy the constraints at line 11 of
being implementable with no critical variables. Therefore, Algorithm 1 will always return a
controller if there exists an $S$-safe one.

It is easy to see that Algorithm 1 runs in polynomial time, because at least one critical
variable is removed in each iteration of the loop between lines 5-10, one iteration checks at
most $|I|$ remaining variables, and each such check requires calling a linear programming
solver which runs in polynomial time. Finally, steps 4 and 13 of Algorithm 1 are achievable,
because if a linear program has a solution then it has a solution of polynomial size (see, e.g.
[13]). This shows that the size of the returned controller is always polynomial. □

Notice that the controller returned by Algorithm 1 has a polynomial-size minimum
dwell time. We do not know whether finding a safe controller with the largest possible dwell
time is decidable, nor whether it is decidable to check whether such a minimum dwell time can be greater
than 1. We now show that the last problem is PSPACE-hard, so it is unlikely to be tractable.
The details of the proof are in the appendix. Finally, this also implies PSPACE-hardness of
checking whether a safe controller exists in the case the system is controlled using a digital
clock, i.e. when all timed delays have to be a multiple of some given sampling rate $\Delta > 0$.

Theorem 4. For a given MMS $\mathcal{H}$, hyperrectangular safe set $S$ described by two points $l, u$,
and starting point $x_0 \in S$, checking whether there exists an $S$-safe controller with minimum dwell
time $> 1$ is PSPACE-hard.
Algorithm 1: Finds an $S$-safe feasible controller from a given $x_0 \in S$.

Input: MMS $\mathcal{H}$, two points $l$ and $u$ that define a hyperrectangle $S = \{x : l \le x \le u\}$ and an
initial point $x_0 \in S$ such that $l < x_0 < u$.
Output: NO if no $S$-safe feasible controller exists from $x_0$, and a periodic such controller
otherwise.

1   $I := \{1, \ldots, N\}$
2   Check whether the following linear program is satisfiable for some frequency vector $f$:
        $F_i(f, l_i) \ge 0$ for all $i \in I$
        $F_i(f, u_i) \le 0$ for all $i \in I$.
    if no satisfying assignment exists then
3       return NO
4   Let $f_*$ be any frequency vector of polynomial size that satisfies the conditions in step 2.
5   repeat
6       foreach $j \in I$ do
7           Check whether the following linear program is satisfiable for some frequency vector $f$:
                $F_i(f, l_i) \ge 0$ for all $i \in I \setminus \{j\}$
                $F_i(f, u_i) \le 0$ for all $i \in I \setminus \{j\}$
                $F_j(f, l_j) > 0$ and $F_j(f, u_j) < 0$.
            if no satisfying assignment exists then
8               If $F_j(f_*, l_j) = 0$, remove from $M$ all modes $m$ for which $b_j^m / a_j^m \ne l_j$, and otherwise remove
                all modes $m$ for which $b_j^m / a_j^m \ne u_j$.
9               Remove $j$ from $I$.
10  until no mode was removed from $M$ in this iteration;
11  Check whether the following linear program is satisfiable for some frequency vector $f$:
        $F_i(f, l_i) > 0$ for all $i \in I$
        $F_i(f, u_i) < 0$ for all $i \in I$.
    if no satisfying assignment exists or $M = \emptyset$ then
12      return NO
13  Let $f_*$ be any frequency vector of polynomial size that satisfies the conditions in step 11.
14  Let $s$ be the minimum over all variables $x_i$ of
        $$\min\left\{ \frac{\min\{x_0(i) - l_i,\; u_i - x_0(i)\}}{\max_m |b_i^m - a_i^m x_0(i)|},\;
        \frac{\min\big(F_i(f_*, l_i),\, -F_i(f_*, u_i)\big)}{\big(|l_i| + |u_i| + 2 \cdot \max_m |b_i^m / a_i^m|\big)\,|M|\,\big(\sum_m a_i^m f_*(m)\big)^2} \right\}$$
15  return the following periodic controller with period $|M|$: $m_k = (k \bmod |M|) + 1$ and
    $t_k = f_*(m_k) \cdot s$.
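The following script is an added illustration of the above construction on Example 1; it is not code from the paper or the authors' implementation. It checks Definition 3 directly for a given frequency vector (no LP solver is involved), builds the periodic controller of step 15 for that vector, simulates it at the switching points only, computes the per-period affine map used in the proof of Theorem 2, and tests the boundary start (18, 18). The tolerance EPS, the chosen s and all function names are my own assumptions.

```python
from math import exp

# Example 1 of the paper, entered here as constructed data: two rooms, three modes,
# all a_i^m = 1 and b_i^m from the table. Mode 1: heater off, mode 2: heater in
# room 1, mode 3: heater in room 2. Comfort interval [18, 22] for both rooms.
A = {1: (1.0, 1.0), 2: (1.0, 1.0), 3: (1.0, 1.0)}
B = {1: (12.0, 12.0), 2: (30.0, 12.0), 3: (12.0, 30.0)}
LOWER, UPPER = (18.0, 18.0), (22.0, 22.0)
EPS = 1e-12  # assumed tolerance for the equality tests in conditions (III) and (IV)


def F(i, f, y, A=A, B=B):
    """F_i(f, y) = sum_m f(m) (b_i^m - a_i^m y), as defined in Section 3."""
    return sum(f[m] * (B[m][i] - A[m][i] * y) for m in f)


def is_good(f, lower=LOWER, upper=UPPER, A=A, B=B):
    """Conditions (I) and (II) of Definition 3 for every variable."""
    return all(F(i, f, lower[i], A, B) >= -EPS and F(i, f, upper[i], A, B) <= EPS
               for i in range(len(lower)))


def is_implementable(f, lower=LOWER, upper=UPPER, A=A, B=B):
    """Definition 3: good, plus (III)/(IV) for every critical variable."""
    if not is_good(f, lower, upper, A, B):
        return False
    for i in range(len(lower)):
        for bound in (lower[i], upper[i]):
            if abs(F(i, f, bound, A, B)) <= EPS:  # x_i is critical at this bound
                # every mode used with positive frequency must have b_i^m/a_i^m == bound
                if any(f[m] > 0 and abs(B[m][i] / A[m][i] - bound) > EPS for m in f):
                    return False
    return True


def step(x, m, t, A=A, B=B):
    """Closed-form solution of dx_i/dt = b_i^m - a_i^m x_i after time t in mode m."""
    return tuple(B[m][i] / A[m][i] + (x[i] - B[m][i] / A[m][i]) * exp(-A[m][i] * t)
                 for i in range(len(x)))


def is_safe(x, lower=LOWER, upper=UPPER):
    return all(lower[i] <= x[i] <= upper[i] for i in range(len(x)))


def periodic_controller(f, s):
    """Step 15 of Algorithm 1: cycle over the modes with f(m) > 0, dwelling f(m)*s in each."""
    return [(m, f[m] * s) for m in sorted(f) if f[m] > 0]


def simulate(x0, period, rounds, lower=LOWER, upper=UPPER, A=A, B=B):
    """Run `rounds` periods from x0, checking safety only at the switching points T_k,
    which suffices for a hyperrectangular S because x_i is monotone inside one mode.
    Returns (stayed_safe, final_state)."""
    x = x0
    if not is_safe(x, lower, upper):
        return False, x
    for _ in range(rounds):
        for m, t in period:
            x = step(x, m, t, A, B)
            if not is_safe(x, lower, upper):
                return False, x
    return True, x


def period_affine(i, period, A=A, B=B):
    """The per-period map x_i(T_{(l+1)|M|}) = alpha * x_i(T_{l|M|}) + beta from the proof
    of Theorem 2; alpha = exp(-sum_j a_i^{m_j} t_j) and the limit is beta / (1 - alpha)."""
    def push(v):
        for m, t in period:
            v = B[m][i] / A[m][i] + (v - B[m][i] / A[m][i]) * exp(-A[m][i] * t)
        return v
    beta = push(0.0)          # the map is affine in v, so push(0) is beta ...
    alpha = push(1.0) - beta  # ... and push(1) - beta is alpha
    return alpha, beta


def stuck_on_boundary(x, lower=LOWER, upper=UPPER, A=A, B=B):
    """True if in every mode some variable sitting on a bound of S moves outward, so no
    controller is S-safe from x (the (18, 18) start discussed in Example 1)."""
    for m in A:
        outward = any((x[i] == lower[i] and B[m][i] - A[m][i] * x[i] < 0) or
                      (x[i] == upper[i] and B[m][i] - A[m][i] * x[i] > 0)
                      for i in range(len(x)))
        if not outward:
            return False
    return True


if __name__ == "__main__":
    f = {1: 0.0, 2: 0.5, 3: 0.5}  # heat each room half of the time, heater never off
    print("good:", is_good(f), "implementable:", is_implementable(f))
    ctrl = periodic_controller(f, s=0.1)  # s = 0.1 chosen by hand for the demo
    print("safe from (20, 20):", simulate((20.0, 20.0), ctrl, 200))
    for i in range(2):
        alpha, beta = period_affine(i, ctrl)
        print("room", i + 1, "converges to", beta / (1 - alpha))
    print("no safe controller from (18, 18):", stuck_on_boundary((18.0, 18.0)))
```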
Proof. (Sketch) The proof is similar to the PSPACE-hardness proof in [2] of the discrete-
time reachability in constant-rate MMS that reduces from the acceptance problem for linear 
bounded automata (LBAs), but our reduction is a lot more involved, because of the differ- 
ences in the dynamics of the system. For instance, we deal with a decision problem for the 
minimum dwell time of a safe continuous-time controller instead of a discrete-time one. 
Also, unlike for constant-rate MMS, there is no possibility to keep the value of any variable 
constant over time regardless of its current value. To overcome this problem, we will take 
advantage of the fact that for every LBA and input word, there exists an exponential upper 
bound on the number of steps this LBA can take before the input word is accepted. □ 

Notice that the periodic controller returned by Algorithm 1 just cycles forever over the set of modes in some fixed order, which can be arbitrary. This allows us to extend the model by specifying an initial mode m_0 and a directed graph G ⊆ M × M which specifies, for each mode, the modes that may follow it. Formally, we require any controller ((m_1, t_1), (m_2, t_2), ...) to satisfy (m_i, m_{i+1}) ∈ G for all i ≥ 1 and m_1 = m_0. The proof is in the appendix.

Corollary 1. Deciding whether there exists a feasible S-safe controller for a given MMS ℋ with a mode order specification graph G, initial mode m_0, a hyperrectangular safe set S given by two points l and u, and an initial point l < x_0 < u can be done in polynomial time.

4 Optimal Schedulability 

In this section we extend our results on S-safe controllability of MMS to a model with costs per time unit on modes. We call this model priced linear-rate multi-mode systems. The aim is to find an S-safe controller with minimum cost, where the cost is defined either as the peak cost, as the (long-time) average cost, or as a weighted sum of these.

Definition 4. A priced linear-rate multi-mode system (MMS) is a tuple ℋ = (M, N, A, B, π) where (M, N, A, B) is a MMS and π : M → ℝ_{≥0} is a cost function such that π(m) is the cost per time unit of staying in mode m.

We define the (long-time) average cost of an infinite controller σ = ((m_1, t_1), (m_2, t_2), ...) as the long-time average of the cost per time unit, i.e.

   AvgCost(σ) = limsup_{k→∞} ( Σ_{j=1}^{k} t_j π(m_j) ) / ( Σ_{j=1}^{k} t_j ).

For the results to hold it is crucial that limsup is used in this definition instead of liminf. When minimising the average cost it is in any case more natural to minimise its limsup, which intuitively is its recurring maximum value. The peak cost, on the other hand, is simply PeakCost(σ) = sup_{k : t_k > 0} π(m_k).

We will try to answer the following question for priced MMS.

Definition 5 (Optimal Controllability). Given a priced MMS ℋ, a hyperrectangular safe set S defined by two points l and u, an initial point x_0 ∈ S such that l < x_0 < u, and constants μ_avg, μ_peak ≥ 0, find an S-safe controller σ with the minimum value of μ_avg AvgCost(σ) + μ_peak PeakCost(σ).
The following example shows that such a weighted cost does not always increase with the peak cost.

Example 2. The table below shows the values of b_i^m for each mode m ∈ M = {m_1, m_2, m_3, m_4} and variable x_i, as well as the cost of each mode. We assume that all a_i^m are equal to 1. The safe interval for each variable is [0, 1], i.e. l_i = 0 and u_i = 1 for all i.

                 m_1    m_2    m_3    m_4
   b_1^m          -1      2     -1      5
   b_2^m          -1     -1      2      5
   π (cost)        0      3      3      4

One can compute that the optimal average cost of any S-safe controller which uses only modes from M' = {m_1, m_2, m_3} is equal to 2, and that this average cost is achieved when the frequency of each mode in M' is 1/3. At the same time, the peak cost of that controller is 3. On the other hand, there is an S-safe controller for the whole set of modes M with peak cost 4 and average cost just 2/3, obtained when the frequency of mode m_1 is 5/6 and the frequency of mode m_4 is 1/6. If we take the weighted cost of a controller σ to be PeakCost(σ) + AvgCost(σ), then the second controller (weighted cost 4 + 2/3) clearly has a lower weighted cost than the first one (weighted cost 3 + 2 = 5), although it has a higher peak cost.

The algorithm that we define is designed to cope with systems where the set of modes is large and given implicitly, as in [9], where the input is a list of heaters with different output levels and energy costs. Each heater is placed in a different zone, and every on/off combination of the heaters gives a different mode in our setting, which leads to exponentially many modes in the size of the input. The cost of a mode is the sum of the energy costs of all heaters switched on in that mode. We deal with this setting by using binary search and a specific narrowing-down technique to consider only the peak costs for which the weighted cost can be optimal. Our algorithm does not run in time polynomial in the number of heaters, but the techniques used can reduce the running time in practice. If we assume that the modes are given explicitly as input, then there is a much simpler polynomial-time algorithm, presented in Appendix E as Algorithm 3. Let us now fix a priced MMS ℋ = (M, N, A, B, π), the safe set S and a starting point x_0 in the interior of S.

Theorem 5. Algorithm 2 finds an S-safe feasible periodic controller that optimises the weighted cost defined by the peak and average cost coefficients μ_peak and μ_avg.

Proof. Let M_{≤p} denote the set of modes with cost at most p. First, to find the minimum peak cost among all S-safe controllers, we order all the modes according to their costs and then perform a binary search on the possible peak cost p: the algorithm guesses an initial p and checks whether M_{≤p} has an S-safe controller; if it does not, it doubles the value of p, and if it does, it halves it. It is best to start with a small value of p, because the larger p is, the larger the set of modes and the slower the feasibility check.

Second, to find the minimum average cost among all S-safe controllers, notice that the average cost of the periodic controller returned by Algorithm 1 based on the frequency vector f* is Σ_{m∈M} f*(m) π(m). Therefore, if we find an implementable frequency vector which
Algorithm 2: Finds an optimal S-safe feasible controller from a given x_0 ∈ S.

Input: A priced MMS ℋ, two points l and u that define a hyperrectangle S = {x : l ≤ x ≤ u}, an initial point x_0 ∈ S such that l < x_0 < u, and constants μ_avg and μ_peak which define the weighted cost of a controller.
Output: NO if no S-safe feasible controller exists from x_0, and otherwise a periodic such controller σ for which μ_peak PeakCost(σ) + μ_avg AvgCost(σ) is minimal.

1  min-size := 1;
2  repeat
3      min-size := 2 · min-size;
4      Pick the minimal p such that M_{≤p}, the set of all modes with cost at most p, has size at least min-size.
5      Call Algorithm 1 for the set of modes M_{≤p}.
6  until min-size ≥ |M| or the call did not return NO;
7  if the last call to Algorithm 1 returned NO then
8      return NO.
9  Perform a binary search to find the minimal p such that M_{≤p} is feasible, using the just found upper bound on the minimal feasible set of modes.
10 Modify Algorithm 1 by adding the objective function Minimise Σ_{m∈M'} f_m π(m) to the linear program at line 11. Let OptAvgCost(M') be the value of this objective when Algorithm 1 is called for the set of modes M'.
11 p' := p + (μ_avg / μ_peak) · OptAvgCost(M_{≤p});
12 repeat
13     p' := p + (μ_avg / μ_peak) · (OptAvgCost(M_{≤p}) − OptAvgCost(M_{≤p'}));
14 until p' no longer decreases;
15 Pick a peak value p* ∈ [p, p'] for which μ_peak p* + μ_avg OptAvgCost(M_{≤p*}) is smallest (only values p* that are the cost of some mode need to be tried).
16 return the periodic controller returned by the modified version of Algorithm 1 called for the set of modes M_{≤p*}.



minimises that value, then we will also find a safe controller with the minimum average cost among all periodic safe controllers. This can easily be done by adding the objective Minimise Σ_m f*(m) π(m) to the linear program at line 11 of Algorithm 1. Moreover, using techniques similar to those in Theorem 1 we can show that no other controller can have a lower average cost. The key observation is that

   AvgCost(σ) = limsup_{k→∞} Σ_m f_k^m π(m) ≥ limsup_{k→∞} Σ_m f_{j_k}^m π(m) = Σ_m f(m) π(m),

where, just as in the proof of Theorem 1, f_k^m is the frequency of being in mode m up to the k-th timed action and (j_k)_{k∈ℕ} defines a subsequence of (f_k^m) that converges for every m. The inequality holds because the limsup of a subsequence is at most the limsup of the whole sequence.

For any set of modes M' ⊆ M, let OptAvgCost(M') denote the minimum average cost when only modes in M' can be used. Now, if μ_peak = 0 then it suffices to compute the optimal average cost for the whole set of modes to find the minimum weighted cost. Otherwise, to find a safe controller with the minimum value of μ_peak PeakCost(σ) + μ_avg AvgCost(σ), the algorithm first finds a feasible set of modes with the minimum peak cost; let us denote that peak cost by p_min. If μ_avg = 0 then this suffices. Otherwise, observe that by definition the cost of each mode is nonnegative, and so the average cost is nonnegative as well. Even if we assume that the average cost is 0 for some larger set of modes with peak cost p, the weighted cost will be at least μ_peak p, as compared to μ_peak p_min + μ_avg OptAvgCost(M_{≤p_min}); this gives an upper bound on the largest value of p worth considering, namely p' = p_min + (μ_avg / μ_peak) · OptAvgCost(M_{≤p_min}). But now we can check the actual value of OptAvgCost(M_{≤p'}) instead of assuming it is 0, calculate a new bound on the maximum peak value worth considering, and so on. To generate modes on the fly in order of increasing cost, we can use Dijkstra's algorithm with a priority queue. □

5 Numerical Simulations 





Fig. 1. Comparison of temperature evolution under optimal and lazy control in an organisation consisting of two zones. The safe temperature is between 18°C and 22°C. Left: a periodic controller with the minimum peak cost, which was then optimised for the minimal average cost. Right: the behaviour of the lazy controller. The y-axis is temperature in °C and the x-axis measures time in hours. The optimal controller used 3 modes and its minimum dwell time was 43 seconds; the lazy controller used 5 different modes and its minimum dwell time was 180 seconds.

We have implemented Algorithms 1 and 2 in Java, using a basic implementation of the simplex algorithm as the underlying linear program solver. The tests were run on an Intel Core i5 at 1.7 GHz with 1 GB of memory available. The examples are based on the model of an organisation with decoupled zones as in [9] and were randomly generated with exactly the same parameters as described there. We also implemented a simple lazy controller to compare its peak and average energy consumption to our optimal one. Simply asking the lazy controller to let the temperature oscillate around the minimum comfort temperature in each room is risky and causes high peak costs, so our "lazy" controller uses a different approach. It switches a heater to its minimum setting if its zone has reached a temperature in the top 5% of its allowable range. If, on the other hand, the temperature in a zone is in the bottom 5% of its allowable range, the lazy controller finds and switches its heater to the minimum setting that will prevent the temperature in that zone from dropping any further. However, before it does so, it first checks whether there are any zones with temperature above 10% of their allowable range and switches those heaters off first. This tries to minimise the number of heaters switched on at the same time, and thus also tries to minimise the peak cost.

We have tested our system on an organisation with eight zones, each heater having six possible settings, which potentially gives 6^8 > 10^6 possible modes. Zone parameters and heater settings were generated using the same distribution as described in [9], and the outside temperature was set to 10°C. The simulation of the optimal and the lazy controller was performed with a time step of three minutes over a duration of nine hours.

First, in Figure 1 we can compare the behaviour of the optimal controller with that of the lazy one in the case of just two zones. Under the optimal controller the temperature in each zone stabilises around the lower safe bound through constant switching between various modes, whereas under the lazy controller the temperature oscillates between the lower and upper safe values, which wastes energy. The peak cost was 15 kW for the optimal controller and 18.43 kW for the lazy one, while the average energy usage was 13.4 kW and 15.7 kW, respectively. This gives 23% savings in the peak energy consumption and 17% savings in the average energy consumption. Note that no safe controller can use more than 16.9 kW on average, because otherwise it would exceed the upper comfort temperature in one of the rooms, so the maximum possible saving in average energy consumption cannot exceed 26%. For a building with eight rooms, the running time of our algorithm ranged from less than a second to about a minute, with an average of 40 seconds, depending on how many modes were necessary to ensure safe controllability of the system. The lazy controller was found to have on average 40% higher peak cost than the optimal controller and 15% higher average cost; in the extreme cases it had 70% higher peak cost and 22% higher average cost. Again, the reason why the lazy controller did better on average energy consumption than on peak consumption is that the comfort zone is so narrow that no safe controller can waste much energy without violating the upper comfort temperature in one of the rooms.

6 Conclusions 

We have proposed and analysed a subclass of hybrid automata with dynamics governed by linear differential equations and no guards on transitions. This model strictly generalises the models studied by Nghiem et al. in [9] in the context of peak minimisation for energy consumption in buildings. We gave a sufficient and necessary condition for the existence of a controller that keeps the state of the system within a given safe set at all times, as well as an algorithm that finds such a controller in polynomial time. We also analysed an extension of this model with costs per time unit associated with modes and gave an algorithm that constructs a safe controller which minimises the peak cost, the average cost or any cost expressed as a weighted sum of these two. Finally, we implemented some of these algorithms and showed how they perform in practice.






From the practical point of view, future work will involve turning the prototype implementation of the algorithms in this paper into a tool. Our model can be extended by adding disturbances and interactions between zones to the dynamics, as in [10]. This, however, would further complicate the already complicated formula for the switching frequency of each mode of the safe controller given in Algorithm 1. Special cases that could be looked at are the initial state lying on the boundary of the safe set, and checking whether Theorem 1 also holds for all non-Zeno controllers, not just for controllers with a positive minimum dwell time. An interesting problem left open is the decidability of finding a safe controller with minimum dwell time above a fixed constant.
Appendix



A Proof of Lemma 1

We first prove the following proposition.

Proposition 1. If ℋ is in the same mode m during the time interval [t_0, t_0 + t], then, writing s = sgn(ẋ_i(t_0)), we have

   s · ( x_i(t_0) + t (b_i^m − a_i^m x_i(t_0 + t)) ) ≤ s · x_i(t_0 + t) ≤ s · ( x_i(t_0) + t (b_i^m − a_i^m x_i(t_0)) ),

where sgn is the signum function.

Proof. Recall that sgn(x) = 1 if x > 0, sgn(x) = −1 if x < 0, and sgn(x) = 0 if x = 0. Notice that ẋ_i(t) = b_i^m − a_i^m x_i(t) attains its minimum and maximum at the ends of the time interval [t_0, t_0 + t], because ẋ_i is monotone in t. Therefore, if ẋ_i(t_0) > 0, i.e. sgn(ẋ_i(t_0)) = 1 and x_i is increasing in t, then for all c ∈ [t_0, t_0 + t] we have ẋ_i(c) ≤ ẋ_i(t_0) and ẋ_i(c) ≥ ẋ_i(t_0 + t). From the mean value theorem we know that for some c ∈ [t_0, t_0 + t] we have x_i(t_0 + t) = x_i(t_0) + t ẋ_i(c); the inequality follows, and we proceed similarly in the other cases.

Lemma 1. For at least half of the time duration of every timed action of σ which uses a mode m ∈ M', x_i(t) > l_i + γ holds.

Proof. Recall that a_max := max_{m∈M'} |a_i^m|, c_min := min_{m∈M'} |b_i^m − a_i^m l_i| and t_min := t_min(σ). Of course c_min ≠ 0, because b_i^m / a_i^m ≠ l_i for m ∈ M', and t_min ≠ 0, because σ is feasible. Let

   γ := t_min c_min / (2 + t_min a_max),

which is > 0.

Let us consider the k-th timed action of σ, with m_k ∈ M'. Of course we have t_k ≥ t_min. Notice that γ ≤ ½ t_min c_min, because t_min a_max ≥ 0, and easy calculations also show γ < c_min / a_max.

If x_i(T_{k−1}) > l_i + γ and x_i(T_k) > l_i + γ then we are done, because x_i is monotone in the time interval [T_{k−1}, T_k] and so x_i(t) > l_i + γ holds during the whole k-th timed action. We will estimate the longest amount of time the system can stay in the same mode while x_i(t) ∈ [l_i, l_i + γ] holds. First, notice that for every m ∈ M' we either have b_i^m − a_i^m x > 0 for all x ∈ [l_i, l_i + γ] or b_i^m − a_i^m x < 0 for all x ∈ [l_i, l_i + γ]. Otherwise there would be x ∈ [l_i, l_i + γ] such that b_i^m − a_i^m x = 0, and so |b_i^m − a_i^m l_i| = |a_i^m (x − l_i)| ≤ a_max γ < a_max · c_min / a_max = c_min, a contradiction with the definition of c_min. Because, as we have just shown, the process cannot converge to any point in the interval [l_i, l_i + γ], it either reaches the lower or the upper boundary of this interval or runs out of the allocated amount of time t_k.

Now assume that b_i^m − a_i^m x < 0 holds in that interval, i.e. the value of x_i(t) is decreasing in t. The amount of time during which x_i(t) ∈ [l_i, l_i + γ] holds is the greatest if the value of x_i starts at l_i + γ and ends at l_i. Using Proposition 1 we can estimate this time to be at most γ / (a_i^m l_i − b_i^m) ≤ γ / c_min ≤ ½ t_min c_min / c_min = ½ t_min, which means that during the remaining time t_k − ½ t_min ≥ ½ t_min the value of x_i(t) stays above l_i + γ.

Finally, if b_i^m − a_i^m x > 0 holds in that interval, then we can again estimate, using Proposition 1, the time during which x_i(t) ∈ [l_i, l_i + γ] can hold to be at most γ / (b_i^m − a_i^m (l_i + γ)) ≤ γ / (c_min − a_i^m γ) = 1 / (c_min / γ − a_i^m) = 1 / ((2 + t_min a_max) / t_min − a_i^m) ≤ ½ t_min. Therefore, again, the amount of time the value of x_i stays outside the interval [l_i, l_i + γ] is at least the amount of time spent inside it. □
B Proof of Lemma 2

Lemma 2. Either there is a variable which is critical for all good frequency vectors, or there is a good frequency vector in which no variable is critical.

Proof. Recall that F_i(f, y) = Σ_{m∈M} f(m) (b_i^m − a_i^m y). For a frequency vector f, variable x_i is called critical if F_i(f, l_i) = 0 or F_i(f, u_i) = 0 holds. Finally, a frequency vector f is good if for every variable x_i the following conditions hold: (I) F_i(f, l_i) ≥ 0, and (II) F_i(f, u_i) ≤ 0.

Now, let us assume that there is no variable which is critical for all good frequency vectors. If so, for each variable x_i we can find a good frequency vector f_i for which x_i is not critical. But if we consider the frequency vector f = (1/N) Σ_j f_j, then no variable can be critical in f, because F_i is linear in f and so

   F_i(f, l_i) = (1/N) Σ_j F_i(f_j, l_i) ≥ (1/N) F_i(f_i, l_i) > 0   and   F_i(f, u_i) = (1/N) Σ_j F_i(f_j, u_i) ≤ (1/N) F_i(f_i, u_i) < 0,

which also proves that the frequency vector f defined this way is good. □



C Proof of Theorem 4

Theorem 4. For a given MMS ℋ, hyperrectangular safe set S described by two points l, u, and starting point x_0 ∈ S, checking whether there exists an S-safe controller with minimum dwell time ≥ 1 is PSPACE-hard.

Proof. As mentioned before, the proof is similar to the PSPACE-hardness proof in [2] of discrete-time reachability in constant-rate MMS, which reduces from the acceptance problem for linear bounded automata (LBAs), so we first formally define LBAs.

An LBA is a tuple (Σ, Q, q_0, q_A, δ), where Σ is a finite alphabet, Q is a finite set of states, q_0 ∈ Q is the initial state, q_A ∈ Q is a distinguished accepting state, and δ ⊆ Q × Σ × Q × Σ × {−1, 0, +1} is the transition relation. We can assume the alphabet Σ to be the binary alphabet {0, 1}. Let us explain the interpretation of the elements of the transition relation. Let T = (q, a, q', b, D) ∈ δ be a transition. If the LBA is in state q ∈ Q and its (read/write) tape head reads character a, then it writes character b at the current cell, moves its head in direction D (left if D = −1, right if D = +1, and unchanged if D = 0), and changes its state to q'. Let w ∈ Σ* be an input word. Without loss of generality we assume that the LBA uses exactly L tape cells, which hold the whole input word of size L at the very beginning. Hence a configuration of the LBA can be written as (q, p, b_0 b_1 ... b_{L−1}), where q is the current state, p is the position of the head, with 0 ≤ p < L, and b_0 b_1 ... b_{L−1} is the current contents of the tape. Notice that such an LBA has only |Q| · L · |Σ|^L different configurations, and so if the LBA does not enter the accepting state q_A for a given input word after that many steps then it never will.

We show a reduction from the acceptance problem for LBAs to the problem of the existence of a safe controller with minimum dwell time ≥ 1 for linear-rate MMSs. For a given LBA 𝒜 and input word w = b_0 b_1 ... b_{L−1}, we define an MMS ℋ_𝒜 = (M, N, A, B) with one variable x_{q,p} for each state q ∈ Q and head position 0 ≤ p < L, one variable x_i for each input cell 0 ≤ i < L, and one variable x_{p,T} for each head position 0 ≤ p < L and direction T ∈ {−1, 0, +1}. The safety condition S simply requires that the values of all these variables belong to the interval [−1, 1] at all times. Recall that T_k(σ) = Σ_{i=1}^{k} t_i is the total time elapsed up to step k of the controller σ of ℋ_𝒜. A configuration (q', p', b_0 b_1 ... b_{L−1}) of the machine at step k is encoded in the variables of ℋ_𝒜 in such a way that x_{q,p}(T_k(σ)) > 0 iff q = q' and p = p', and x_{q,p}(T_k(σ)) < 0 otherwise; and also, for all 0 ≤ i < L, x_i(T_k(σ)) > 0 iff the input cell b_i = 1 and x_i(T_k(σ)) < 0 iff b_i = 0. There is also a special variable x_A which deals with the case when the input word is accepted, and a special variable x_T which, as the only variable, has a different safety interval, [−1, −0.9].

We will now construct a gadget used in our reduction. We say that variable x_v (where v ∈ {i : 0 ≤ i < L} ∪ {(q, p) : q ∈ Q, 0 ≤ p < L}) in mode m is of (i) type 1 if b_v^m = 2 and a_v^m = 1, (ii) type −1 if b_v^m = −2 and a_v^m = 1, (iii) type 0 if b_v^m = 0 and a_v^m = 1 / (11 · |Q| · L · |Σ|^L). Assume that the current mode is m, the time is t_0 and the value of variable x_v is safe, i.e. x := x_v(t_0) ∈ [−1, 1]. Notice that if the type of this variable is 1 in mode m, then after time t its value becomes 2 + (x − 2) e^{−t}, which belongs to the safe set for t = 1 iff x ≤ 2 − e ≈ −0.718, but for t ≥ 1.1 > ln 3 its value is never safe. Similarly for type −1, the new value is safe for t = 1 iff x ≥ e − 2 ≈ 0.718, but after time t ≥ 1.1 > ln 3 it is never safe. Finally, for a variable x_v of type 0, the relative change in its value after time t ≤ 1.1 · |Q| · L · |Σ|^L is |e^{−a_v^m t} x − x| / |x| = 1 − e^{−a_v^m t} ≤ 1 − e^{−0.1} < 0.1, i.e. its value does not change by more than 10%. Moreover, constantly switching between a mode of type 1 and a mode of type −1 for some variable, while spending time t = 1 in each mode, results in a trajectory that converges to −2(e − 1)/(e + 1) ≈ −0.924 on odd steps and ≈ 0.924 on even steps, independently of the starting point. Therefore, assuming that the initial value of a variable is either 1 or −1, that only modes of type 1 or −1 are used, and that the system is safe at all times, the closest this variable can get to 0 is after the first step of length t = 1. That value is 2 − 3e^{−1} ≈ 0.896 for a variable that starts at −1, and −0.896 for a variable that starts at 1. If we now also allow that variable to switch to type 0, then the closest such a process can get to 0 is by letting the just computed value decay towards 0 using only modes where it has type 0; its absolute value after time t ≤ 1.1 · |Q| · L · |Σ|^L would still be ≥ 0.896 · 0.9 ≈ 0.8, which is > 0.718. Assuming that the number of timed actions of the controller σ does not exceed |Q| · L · |Σ|^L, that the minimum dwell time of each action is ≥ 1 and that each mode has at least one variable of nonzero type, we have the following. A variable can remain safe in two consecutive timed actions if and only if its type changes from 1 to 0 or −1, from −1 to 0 or 1, or from 0 to 0 or to type −d, where d was the last nonzero type this variable had before 0. If we interpret a value above 0.718 as 1 and a value below −0.718 as 0, then we can view each timed action in a mode of type 1, −1 or 0 as adding 1 to, subtracting 1 from, or keeping constant that binary value, respectively.
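The numerical claims of this gadget can be checked directly. The following Python is an added example written for this edited page (it is not part of the paper); it evaluates the closed-form trajectories of the three types and of the accepting-mode alternation, assuming that K = |Q| · L · |Σ|^L is supplied as a plain number. The constants 0.718 = e − 2, 0.896 = 2 − 3/e and 0.924 = 2(e − 1)/(e + 1) quoted above are reproduced by the functions rather than hard-coded.

```python
import math

# Numerical checks of the gadget: a_v^m = 1 with b_v^m = 2 (type 1) or -2
# (type -1), or b_v^m = 0 with a_v^m = 1/(11 K) (type 0), where K stands for
# |Q| * L * |Sigma|^L and is passed in as a plain number here.
THRESH = math.e - 2.0   # about 0.718, the decoding threshold used in the text


def evolve(x, a, b, t):
    """Exact value after time t of dx/dt = b - a*x (a > 0)."""
    return b / a + (x - b / a) * math.exp(-a * t)


def step(x, typ, t=1.0, K=1):
    """One timed action of length t in a mode where the variable has type typ."""
    if typ == 1:
        return evolve(x, 1.0, 2.0, t)
    if typ == -1:
        return evolve(x, 1.0, -2.0, t)
    return evolve(x, 1.0 / (11.0 * K), 0.0, t)


def safe(x, lo=-1.0, hi=1.0):
    """Safety interval of the ordinary variables; x_T uses [-1, -0.9] instead."""
    return lo <= x <= hi


def max_start_for_type1(t=1.0):
    """Largest starting value that is still safe after dwell t in a type-1 mode:
    2 + (x - 2) e^{-t} <= 1 iff x <= 2 - e^{t}; for t >= ln 3 this is <= -1, so
    no safe starting value survives a longer dwell."""
    return 2.0 - math.exp(t)


def alternating_limit(x, periods=60):
    """Alternate type -1 and type 1 with dwell 1 (the accepting modes M_{A,p} and
    M'_{A,p}); returns the values after the type -1 and after the type 1 step."""
    for _ in range(periods):
        after_minus = step(x, -1)
        x = step(after_minus, 1)
    return after_minus, x


def type0_relative_drift(K):
    """Relative change of a type-0 variable over the whole time budget 1.1*K."""
    x0 = -1.0
    return abs(step(x0, 0, t=1.1 * K, K=K) - x0) / abs(x0)


def read_bit(x):
    """Decode the binary value a cell variable encodes (None if undetermined)."""
    if x > THRESH:
        return 1
    if x < -THRESH:
        return 0
    return None
```

Because every per-mode trajectory is the explicit exponential above, each claim in the paragraph (which starting values survive a dwell of 1, why a dwell of 1.1 is fatal, the ±0.924 cycle, and the 10% bound for type 0) reduces to evaluating one of these functions.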

Now, each transition T = (q, a, q', b, D) ∈ δ and head position p is simulated using two modes M_{p,T} and M'_{p,T}. Mode M_{p,T} checks whether the letter in the p-th cell is a ∈ Σ = {0, 1}, while mode M'_{p,T} changes the content of the p-th cell to b ∈ {0, 1} and moves the head to its new position. The rates of the various variables in these modes are set in such a manner that a schedule is safe if and only if it respects the transition structure of 𝒜. The main features of the construction are the following.

- In mode M_{p,T} the type of variable x_p is −1 if a = 1 and 1 otherwise; the type of all other variables is 0. This mode checks whether the character at head position p is a: the variable remains safe only if it encoded a, and afterwards it encodes the opposite character.

- In mode M'_{p,T} the type of variable x_p is 0 if a ≠ b, and otherwise it is the opposite of its type in M_{p,T}, so that the cell encodes b afterwards. If D = −1 (D = +1) then variable x_{q,p} has type −1 and x_{q',p−1} has type 1 (x_{q',p+1} has type 1). If D = 0 then x_{q,p} has type −1 and x_{q',p} has type 1 (both have type 0 if q = q'). The type of all other variables is 0.

- To make sure that mode M_{p,T} is immediately followed by mode M'_{p,T} in every safe run, the type of the variable x_{p,T} is 1 in mode M_{p,T} and −1 in mode M'_{p,T}, while it is of type 0 in every other mode.

- The special variable x_T has type 0 in every mode and safe set [−1, −0.9], so the system is safe as long as the decay from its initial value −1 is not greater than 10%, which does not happen before 1.1 · |Q| · L · |Σ|^L time has elapsed. This guarantees that the MMS becomes unsafe once we can no longer guarantee that it follows the transitions of LBA 𝒜 exactly.

- For each head position 0 ≤ p < L we have two special modes M_{A,p} and M'_{A,p}, which deal with the case when LBA 𝒜 enters the accepting state q_A. In M_{A,p} variable x_{q_A,p} has type −1, variable x_A has type 1, and all other variables x_v have a special safe type S such that b_v^{M_{A,p}} = −1 and a_v^{M_{A,p}} = 1. On the other hand, in M'_{A,p} variable x_{q_A,p} has type 1, x_A has type −1, and all other variables have type S. Notice that once the system enters mode M_{A,p} it can keep switching between modes M_{A,p} and M'_{A,p} forever while remaining safe. This is because, as pointed out before, when all timed actions have delay t = 1 the values of variables x_{q_A,p} and x_A in the limit keep switching between ≈ −0.924 and ≈ 0.924, and all other variables, which have type S, converge from above to −1, which belongs to the safe set of all of them.

Note that each of the constructed modes has at least one variable of nonzero type. Let the initial state x_0 of ℋ_𝒜 be such that x_i(0) = 1 if the i-th input character b_i = 1, x_{q_0,0}(0) = 1 (i.e. the initial configuration of 𝒜 is (q_0, 0)), and x_v(0) = −1 for all other variables. Notice that if the LBA 𝒜 accepts the input word then there exists an S-safe controller of the MMS ℋ_𝒜 from the initial state x_0 which at some point enters mode M_{A,p} for some head position p and then keeps switching between M_{A,p} and M'_{A,p}. This has to happen before the value of variable x_T gets too close to 0 and violates its safety condition; until that moment ℋ_𝒜 models precisely the configurations of LBA 𝒜 and its transitions. On the other hand, there is a safe feasible controller only if M_{A,p} is entered at some point, because otherwise variable x_T will eventually violate its safety condition. So if a safe feasible controller for ℋ_𝒜 with minimum dwell time ≥ 1 exists, then LBA 𝒜 has to enter the accepting state q_A within its first |Q| · L · |Σ|^L timed actions. This shows that 𝒜 accepts the input iff ℋ_𝒜 has a safe feasible controller with minimum dwell time ≥ 1. □

D Proof of Corollary 1

Corollary 1. Deciding whether there exists a feasible S-safe controller for a given MMS ℋ with a mode order specification graph G, initial mode m_0, a hyperrectangular safe set S given by two points l and u, and an initial point l < x_0 < u can be done in polynomial time.

Proof. Recall that a controller ((m_1, t_1), (m_2, t_2), ...) respects the mode order specification graph G with initial mode m_0 if for all i ≥ 1 we have (m_i, m_{i+1}) ∈ G and m_1 = m_0. Notice that the system ℋ under any feasible S-safe controller will eventually end up in one of the strongly connected components (SCCs) of the graph G reachable from m_0, because the controller is non-Zeno and each timed action takes only a finite amount of time. Also note that Algorithm 1 returns a periodic controller which cycles over all the modes given to it in exactly the same order as they were passed. Therefore, we can make sure that the controller returned satisfies the mode order specification G by passing the mode sequence in a particular order. For an SCC C of G consisting of modes C = (m'_1, m'_2, ..., m'_k), that sequence of modes, denoted by ρ_C, is as follows: it starts at m'_1, then follows any path of modes in G to m'_2, ..., then any path of modes to m'_k, and finally any path of modes back to m'_1; all these paths exist because C is an SCC. The sequence ρ_C may repeat some modes, but it satisfies the mode order specification graph G, each mode of C occurs in it at least once, and no mode outside C occurs along ρ_C. It is quite easy to see that there is a feasible S-safe controller for an initial state in the interior of the safe set for the set of modes C iff there is one for the sequence of modes ρ_C.

Now, for each SCC C of G reachable from the initial mode m_0 we check, using Algorithm 1, whether there is a feasible S-safe controller for the mode sequence ρ_C and initial point x_0. If there is no such SCC then there is no feasible S-safe controller which respects the mode order specification from x_0 either, because while using such a controller the system eventually has to repeat only modes from a single SCC of G. On the other hand, if there is such an SCC C, then we construct a feasible S-safe controller from x_0 as follows. First, we find any path ρ in G from m_0 to the very first mode in the mode sequence ρ_C. We create a finite sequence of timed actions based on this path where the time delay of each mode is set to a value so small that, starting at x_0, the system still remains within the safe set S at the very end of it. Such a value always exists when the initial point of ℋ is in the interior of the safe set; to be precise, it suffices to set it to

   min_{i∈I} min{ x_0(i) − l_i, u_i − x_0(i) } / ( |ρ| · max_m |b_i^m − a_i^m x_0(i)| ),

where |ρ| is the number of modes on the path. Let the point reached at the end of this finite timed sequence be x_1 and, because the coordinates of that point are likely to be irrational, let x_l and x_u be any two points with rational coordinates such that l < x_l < x_1 < x_u < u holds. In other words, x_l and x_u are simply some polynomial-size lower and upper bounds on the coordinates of the point x_1. Notice that the feasible controller for the mode sequence ρ_C that we found earlier may not be safe when the system starts at x_1 instead of x_0, because the value of ε may need to be smaller for the system to remain safe. The new value of ε should be the minimum of the value of ε for the mode sequence ρ_C when the initial point is x_l and when it is x_u. Finally, once we combine the finite timed action sequence, which starts at mode m_0 and x_0, with the feasible controller for the mode sequence ρ_C, which is safe for any initial point between x_l and x_u, we get a feasible S-safe controller that respects the mode order specification graph G. □

Notice that if one would like to extend the model and allow the system to remain in the same mode forever, instead of forcing it to switch between modes constantly, it suffices to add to G an edge from each mode to itself.
E Simpler Algorithm for Finding an Optimal Controller

Algorithm 3: Finds an optimal S-safe feasible controller from a given x_0 ∈ S.

Input: A priced MMS ℋ, two points l and u that define a hyperrectangle S = {x : l ≤ x ≤ u}, an initial point x_0 ∈ S such that l < x_0 < u, and constants μ_avg and μ_peak which define the cost of a controller.
Output: NO if no S-safe feasible controller exists from x_0, and otherwise a periodic such controller σ for which μ_peak PeakCost(σ) + μ_avg AvgCost(σ) is minimal.

1 Modify Algorithm 1 by adding the objective function Minimise Σ_{m∈M'} f_m π(m) to the linear program at line 11. Let OptAvgCost(M') be the value of this objective when Algorithm 1 is called for the set of modes M'.
2 Let P = {π(m) : m ∈ M} be the set of all distinct costs of modes of ℋ. (Notice that only these costs can be potential peak costs.) For a given p let M_{≤p} denote the set of modes with cost at most p.
3 Iterate over p ∈ P and find the one with the smallest value of μ_peak p + μ_avg OptAvgCost(M_{≤p}); denote it by p*.
4 return the periodic controller returned by the modified version of Algorithm 1 called for the set of modes M_{≤p*}.
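As an added worked example (code written for this edited page; it is neither the paper's Java implementation nor a general-purpose LP solver), the following Python computes OptAvgCost exactly for the instance of Example 2 in Section 4 and runs on it both the enumeration of Algorithm 3 and the narrowing bound of lines 11 to 14 of Algorithm 2. The LP is solved by enumerating the vertices of the feasible polytope in exact rational arithmetic, which is fine for four modes but no substitute for a simplex implementation. It uses the non-strict inequalities F_i(f, l_i) ≥ 0 and F_i(f, u_i) ≤ 0, so it returns the infimum over good frequency vectors (2 for M' and 2/3 for M, both attained only at critical vectors, exactly as the example states) rather than a strictly safe vector.

```python
from fractions import Fraction as Fr
from itertools import combinations

# Constructed instance: Example 2 of this paper. A[m][i] = a_i^m, B[m][i] = b_i^m,
# COST[m] = pi(m) for modes m_1..m_4 (indexed 0..3); safe set [0, 1]^2.
A = [[1, 1], [1, 1], [1, 1], [1, 1]]
B = [[-1, -1], [2, -1], [-1, 2], [5, 5]]
COST = [0, 3, 3, 4]
LOW, UP = [0, 0], [1, 1]


def solve(rows, rhs):
    """Gauss-Jordan elimination over Fractions; None if the system is singular."""
    n = len(rows)
    M = [[Fr(v) for v in r] + [Fr(b)] for r, b in zip(rows, rhs)]
    for c in range(n):
        p = next((r for r in range(c, n) if M[r][c] != 0), None)
        if p is None:
            return None
        M[c], M[p] = M[p], M[c]
        M[c] = [v / M[c][c] for v in M[c]]
        for r in range(n):
            if r != c and M[r][c] != 0:
                M[r] = [vr - M[r][c] * vc for vr, vc in zip(M[r], M[c])]
    return [M[r][n] for r in range(n)]


def opt_avg_cost(modes, A=A, B=B, cost=COST, low=LOW, up=UP):
    """OptAvgCost(modes): minimise sum_m f(m) pi(m) over frequency vectors f on
    `modes` subject to F_i(f, l_i) >= 0 and F_i(f, u_i) <= 0 for every variable.
    Every constraint has the form row . f >= 0 plus the equality sum f = 1, so
    the optimum sits at a vertex where n-1 of the rows are tight; with a handful
    of modes we simply enumerate them. Returns (value, f) or (None, None)."""
    n, N = len(modes), len(low)
    ineq = [[Fr(int(k == j)) for k in range(n)] for j in range(n)]        # f_m >= 0
    for i in range(N):
        ineq.append([Fr(B[m][i] - A[m][i] * low[i]) for m in modes])      # F_i(f, l_i) >= 0
        ineq.append([Fr(-(B[m][i] - A[m][i] * up[i])) for m in modes])    # -F_i(f, u_i) >= 0
    best = None
    for tight in combinations(range(len(ineq)), n - 1):
        f = solve([ineq[t] for t in tight] + [[Fr(1)] * n], [0] * (n - 1) + [1])
        if f is None or any(sum(g * v for g, v in zip(row, f)) < 0 for row in ineq):
            continue
        val = sum(v * cost[m] for v, m in zip(f, modes))
        if best is None or val < best[0]:
            best = (val, f)
    return best if best else (None, None)


def modes_up_to(p, cost=COST):
    """M_{<=p}: the modes whose cost is at most p."""
    return [m for m in range(len(cost)) if cost[m] <= p]


def optimal_weighted(mu_peak, mu_avg, cost=COST, **kw):
    """Algorithm 3: every distinct mode cost is a candidate peak cost p; pick the
    p minimising mu_peak*p + mu_avg*OptAvgCost(M_{<=p}). Returns (p*, value, f)."""
    best = None
    for p in sorted(set(cost)):
        val, f = opt_avg_cost(modes_up_to(p, cost), cost=cost, **kw)
        if val is not None and (best is None or mu_peak * p + mu_avg * val < best[1]):
            best = (p, mu_peak * p + mu_avg * val, f)
    return best


def peak_upper_bound(p_min, mu_peak, mu_avg, cost=COST, **kw):
    """Narrowing step of Algorithm 2 (lines 11 to 14): from the minimum feasible
    peak cost p_min, iterate p' := p_min + (mu_avg/mu_peak) *
    (OptAvgCost(M_{<=p_min}) - OptAvgCost(M_{<=p'})) until p' stops decreasing.
    No peak cost above the result can beat the weighted cost achievable at p_min."""
    base = opt_avg_cost(modes_up_to(p_min, cost), cost=cost, **kw)[0]
    ratio = Fr(mu_avg) / Fr(mu_peak)
    p_prime = p_min + ratio * base          # first bound: pretend the average cost is 0
    while True:
        better = opt_avg_cost(modes_up_to(p_prime, cost), cost=cost, **kw)[0]
        new = p_min + ratio * (base - better)
        if new >= p_prime:
            return p_prime
        p_prime = new
```

On the instance of Example 2 with μ_peak = μ_avg = 1, `optimal_weighted` returns p* = 4 with weighted cost 14/3, and `peak_upper_bound(3, 1, 1)` first bounds the peak by 3 + 2 = 5 and then tightens it to 13/3, so only the mode costs 3 and 4 remain as candidates, which is the narrowing the proof of Theorem 5 describes.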